Npower has permanently withdrawn its mobile app after hackers used it to access its customers’ personal details, including the sort codes and the last four digits of their bank accounts.
The hack, which cybersecurity experts said left the firm’s customers “wide open to fraud”, is understood to have taken place around the start of February.
The company declined to say how many of its gas and electricity customers are affected by the breach, but said it had contacted them.
It’s the latest setback for Npower’s parent company, E.ON, which took it over in 2019 and has been migrating over what’s left of the 3.6 million customers it inherited.
In December, E.ON was forced to apologise after it took January’s direct debits 11 days early, telling those affected that they will not get a refund until after Christmas.
At the end of January, E.ON’s app – which lets customers access their accounts and input their latest readings – stopped working for about two weeks.
Npower said on Friday that this was unrelated to its cyber-attack. Its app will not be reinstated, and customers must use the website to access their accounts, it said.
“We identified suspicious cyber-activity affecting the Npower mobile app, where someone has accessed customer accounts using login data stolen from another website,” said an Npower spokeswoman.
“We’ve contacted all affected customers to make them aware of the issue, encouraging them to get advice on how to prevent unauthorised access to their online account. We immediately locked any online accounts that were potentially affected. We also notified the Information Commissioner’s Office [ICO] and Action Fraud. Protecting customers’ security and data is our top priority.”
A cybersecurity expert, Ray Walsh of ProPrivacy, said those who have used the app should immediately check their bank statements for unusual activity.
“The breach included sort codes and the last four digits of customer bank account numbers, leaving them wide open to fraud. Hackers now have access to all the user credentials and passwords from the Npower app, which means that consumers must change the passwords of any accounts that use the same details.
“The probability that consumers will also now receive phishing emails is high, so it is essential that consumers watch their inboxes carefully for any emails that coerce them into following links or ask for personal information,” he said.